Impact of the Patriot Act for Public Cloud on Privacy Policy

When using cloud services, privacy is a key issue. The applicable data protection laws / policies in Germany, Europe and USA differs. For a better understanding first few terms must be defined. In the previous article, Impact of PATRIOT Act for Public Cloud Services we discussed few points on this concern, the required legal disclaimer, citations are also available on the very article.

 

Impact of the Patriot Act for Public Cloud : Privacy Policy

 

When using cloud services, privacy is a key issue. The following are the applicable data protection laws / policies in Germany, Europe and the USA. For a better understanding first few terms must be defined. The concept of personal data is defined according to BDSG (Federal Data Protection Act) as follows:

Personal data means any information or material concerning the personal circumstances of an identified or identifiable individual (the data subject).

Health data are classified as special categories of personal data and are defined as follows:

1. Special types of personal information is information concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life.
2. Author has special Podcast on Health & Cloud Computing – search on Sound Cloud.

The issues that are relevant for data protection in the area of cloud computing, summarized: “Privacy consists of a definition of the persons who can access specific data and the manner in which compliance with an access level is ensured. questions in this context are :

1. How are files encrypted?
2. Which degrees of access permissions are there?
3. Are we allowed to outsourced data and processed by third parties?
4. What is the merit of backup copies protection ?
5. Which took part as data centers for protected against attacks?
6. What happens when new contracts are awarded?
7. How are the processes defined or treated with those complaints to customer demands for data security?
8. How often audits are conducted and what tools are used here?
9. How is the deletion of data is treated?

 

Impact of the Patriot Act for Public Cloud : The Acts

 

Data Protection Act Germany

The data protection laws in Germany based on the law at or on privacy. This right is defined by the Article 2, paragraph 1, 10 and 13 of the Basic Law . Among other things, there is the right to inviolability of the home, mail, postal, and telecommunications.

Central to this work there is the secrecy of telecommunications, as it relates to the modern ways of communication. The legal framework that defines what is covered by the secrecy of telecommunications is written down in §88 of the TKG (Telecommunications Act). It states, “the secrecy of telecommunications subject to the contents of the telecommunications and its surrounding circumstances, particularly the fact whether someone is involved in a telecommunication process or was”. “To preserve the secrecy of telecommunications each service provider is required”. There is also the duty of confidentiality even after termination of service, to the service provider continuously.

Data Protection Act EU

In Europe, a directive on data protection in the Member States has been decided on the Data Protection Directive 95/46/EC. These declines in many cases to existing national state privacy provisions of the Member States. When Member States comply with the provisions of this Directive, they ensure the protection of fundamental rights and freedoms and in particular the protection of privacy of individuals in the processing of personal data.

The principles are written down in Article 25, which says “Member States shall provide that the transfer of personal data which are undergoing processing or are intended for processing after transfer, the provisions adopted in a third country, subject to compliance by the other provisions of this Directive national legislation is permitted, if the third country ensures an adequate level of protection ”

Data Protection Act USA

Unlike in Germany, where there is a central nation-wide data protection law, which is complemented only by state laws, there are in the United States a variety of laws that define the Privacy Policy. Some of these laws that are on the federal level, are explained below. Since there are many laws at the state level, which are each State, otherwise only defines the laws are explained herein, refer to all States.

In addition, many data protection rights concerned by the so-called Common Law are defined. This means that the Supreme Court as made ??a decision in a process and these are now using it as a basis for further court proceedings. The simplest and highest expression of a paragraph on the protection of personal data is enshrined in the U.S. Constitution (U.S. Constitution), in the fourth Amendment (Amendment IV). It says:

“The right of the people to be secure in Their persons, houses, papers, and effects, against unreasonable searches and seizures, Shall not be violated, and no warrants Shall issue, but upon probable cause, supported by oath or affirmation and particularly Describing the place to be searched and the persons or things to be Seized “.

This means that the right to security of their person, houses, papers, and their property shall not be violated by unreasonable searches and seizes. It also states that a search or seizure must be carried out when a legal reason exists. In addition, while the parameters set for the search and seizure of items must be named. This law has been used by some courts as a basis for a privacy on the Internet and telecommunications networks. An important law, which refers to the privacy of the data is, the Privacy Act (Privacy Act of 1974).

A law to protect the privacy of children on the Internet is of COPPA (Children’s Online Privacy Protection Act of 1998). For the protection of credit information of the FCRA (Fair Credit Reporting Act). For this the FACTA (Fair and Accurate Credit Transactions Act) is then formed, which also includes the privacy of credit card transactions. Access to financial information by the government is defined by the RFPA (Right to Financial Privacy Act). The “Driver’s Privacy Protection Act” regulates the handling of data that is collected by the road authorities. As another example, the “Family Educational Rights and Privacy Act” is mentioned, which refers to the use of educational data.

Relevant for this work laws, which include data protection laws, are the ECPA (Electronic Communications Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act) or the HITECH Act (Health Information Technology for Economic and Clinical Health Act). The ECPA is in action from the year 1986 and refers to electronic communication channels, as is clear from TITLE 1 of the Act. HIPAA, which was created in 1996 refers to the handling of health data.

Data Protection Act India

Right to privacy has long been read into Article 21 (right to life and personal liberty) of the Constitution of India. However, with the proliferating use of the internet and the exorbitant rise in transfer of data through multiple technologies, the concepts of ˜data privacy™ and ˜data protection™ have started demanding greater attention than ever before. Therefore, such concepts were introduced in the Information Technology Act, 2000 (Act) through Section 43-A (Compensation for failure to protect data) and Section 72-A (Punishment for disclosure of information in breach of lawful contract).

Section 43-A primarily deals with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information (œSPDI). Section 72-A deals with personal information and provides punishment for disclosure of information in breach of lawful contract or without the information provider™s consent.

On 13 April 2011, the Ministry of Communications and Information Technology (MCIT), Government of India, notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules). Further, on 24 August 2011, the MCIT released a press note (Press Note) which clarified a number of provisions of the Rules. Amongst others, the Press Note clarified that the Rules relate to SPDI and are applicable to body corporate (i.e. organisation) or any person located in India. The Press Note exempts outsourcing companies in India from the provisions of collection and disclosure, as set out under the Rules.

Full credit of the paragraph above (Data Protection Act India) and more details on India’s specific Laws on Data Protection Act will be found on :

Data Protection Act Sweden

Read our article on Swiss cloud, Data Security at Competitive Prices.